BitDefender says S5Mark VPN malware has been active since 2012, Windows 10 most affected OS

by Ashwin, June 20, 2018

Renowned antivirus and security research company Bitdefender has found a new threat called the S5Mark VPN malware. More specifically, it is a rootkit named Zacinlo.

Alarmingly, the report says that 90% of the computers infected by this malware were running Windows 10. It actually gets worse: the S5Mark VPN malware has been active since 2012. For those of you watching from home, that is 6 years of existence in the wild. So, how was it not spotted earlier? Apparently, the rootkit was distributed as adware, and was most active in late 2017.

The adware was distributed by a free and anonymous VPN service called S5Mark. When installed on the computer, it temporarily disables Windows Defender using a PowerShell command, silently downloads and installs the rootkit in the background, and then re-enables Windows Defender's real-time monitoring.
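As an added, defender-side example (not from the Bitdefender report or this article), the disable-then-re-enable pattern above can be spotted as a short gap between Windows Defender's real-time protection disabled (5001) and enabled (5000) events in the Defender Operational log. The flat one-line-per-event export format and the sample entries are constructed for the demo; a real export is EVTX/XML.

```python
"""Flag short-lived Windows Defender real-time protection outages.
The Zacinlo dropper disables Defender real-time monitoring, installs the
rootkit, then re-enables it, leaving event 5001 (real-time protection
disabled) followed shortly by 5000 (enabled) in the Defender Operational log.
"""
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample export in the form "<ISO timestamp> <event id> <message>".
# The real log is EVTX/XML; this flat text form is an assumption for the demo.
SAMPLE_LOG = """\
2018-06-20T09:58:12Z 1001 Scan finished
2018-06-20T10:03:40Z 5001 Real-time protection is disabled
2018-06-20T10:05:02Z 5000 Real-time protection is enabled
2018-06-20T14:20:00Z 5001 Real-time protection is disabled
2018-06-20T16:45:00Z 5000 Real-time protection is enabled
2018-06-21T08:00:00Z 5001 Real-time protection is disabled
"""

EVT_RTP_ENABLED = 5000   # Windows Defender: real-time protection enabled
EVT_RTP_DISABLED = 5001  # Windows Defender: real-time protection disabled


def parse_line(line: str) -> Tuple[datetime, int, str]:
    """Split one export line into (timestamp, event id, message)."""
    ts, event_id, msg = line.split(" ", 2)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, int(event_id), msg


def find_toggle_windows(log: str, max_gap_seconds: int = 600) -> List[dict]:
    """Return each disable->enable window lasting at most max_gap_seconds.
    Long outages are ignored; a disable with no matching enable is returned
    with end=None so the analyst sees that protection is still off."""
    findings: List[dict] = []
    open_since: Optional[datetime] = None
    for raw in log.strip().splitlines():
        when, event_id, _ = parse_line(raw)
        if event_id == EVT_RTP_DISABLED:
            open_since = when
        elif event_id == EVT_RTP_ENABLED and open_since is not None:
            gap = int((when - open_since).total_seconds())
            if gap <= max_gap_seconds:
                findings.append({"start": open_since, "end": when, "gap_seconds": gap})
            open_since = None
    if open_since is not None:
        findings.append({"start": open_since, "end": None, "gap_seconds": None})
    return findings
```

On the sample data the 82-second window on 2018-06-20 is reported and the multi-hour outage is not, while the trailing unmatched disable surfaces with end=None.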

S5Mark VPN malware

The fake VPN’s GUI tricks the user into believing that a VPN connection has been established, while in reality the rootkit is communicating with a malicious server. The rootkit's drivers were signed with expired certificates belonging to Chinese companies. The origin of the malware remains unknown.

The report says that the S5Mark VPN malware targets antimalware products from Bitdefender, Qihoo, Kingsoft, Malwarebytes, Symantec, Panda, HitmanPro, Avast, AVG, Microsoft, Kaspersky, Emsisoft and Zemana, and blocks the antimalware services of these products. Scary, right?

The malware uses MITM methods and can hijack web browsers like Internet Explorer, Firefox, Chrome, Edge, Opera, Safari, etc. It can even take screenshots of the content on your screen and send them to the attacker. The rootkit is highly modular, and can receive commands from the command center used by the malware’s creators.

The Zacinlo rootkit is also capable of injecting its own ads or even opening webpages in the background. It uses persistence methods to hide itself: it copies the rootkit files and updates the registry to ensure that it survives reboots.

Zacinlo was found to have infected a large number of systems in the USA, followed by much lower numbers in France, Germany, Brazil, China, India, Indonesia, and the Philippines. The exact number of impacted computers is unclear.

There doesn’t seem to be a method to block the rootkit’s installation yet, but we expect that antivirus vendors will find a way soon. Bitdefender itself suggests running a scan using the Rescue mode, rather than the standard scanner.

You can download the white paper released by Bitdefender to read more technical details about the Zacinlo rootkit.